Cybercriminals use deceased staff accounts to spread Nemty ransomware


Level 85
Thread author
Honorary Member
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
Cybercriminals will often use brute-force attacks, phishing emails, and existing data dumps to break into corporate networks but there is one area that is often ignored to a company's detriment: ghost accounts.
It is not always the case that when a staff member leaves their employ, whether due to a new job offer, changes of circumstance, illness, or in unfortunate cases, death, that their accounts are removed from corporate networks.
This oversight is one that cybercriminals are now taking advantage of, and in a recent case, actively exploited in order to spread ransomware.
In a case study documented by Sophos' cyberforensics group Rapid Response on Tuesday, an organization reached out after being infected by Nemty ransomware.
According to Sophos, the ransomware -- also known as Nefilim -- impacted over 100 systems, encrypting valuable files and demanding payment in return for a decryption key. [...]
"Ransomware is the final payload in a longer attack," noted Peter Mackenzie, Rapid Response manager. "It is the attacker telling you they already have control of your network and have finished the bulk of the attack. Identifying you are under a ransomware attack is easy, identifying the attacker was on your network a week earlier is what counts."
This particular case was a destructive one. A new user account was covertly created and added to the domain admin group in Active Directory, and this account was used to delete roughly 150 virtual servers and deploy Microsoft BitLocker to encrypt existing server backups, piling on the pressure for payment. However, the victim organization was able to restore its systems through offline backups.
The cybersecurity team asked who the high privilege administration account belonged to. The victim company said the account belonged to a former member of staff who passed away approximately three months before the cyberintrusion.
Instead of revoking access and closing down the 'ghost' account, the firm chose to keep it active and open "because there were services that it was used for."